From fefad3afd8d069a7a93d0b2558e7af6d098f255f Mon Sep 17 00:00:00 2001
From: pschork <354473+pschork@users.noreply.github.com>
Date: Tue, 28 Jan 2025 20:32:11 -0800
Subject: [PATCH] Fix CORs support in dataAPI (#1180)

---
 disperser/dataapi/v2/server_v2.go | 34 ++++++++++++++++++++++---------
 1 file changed, 24 insertions(+), 10 deletions(-)

diff --git a/disperser/dataapi/v2/server_v2.go b/disperser/dataapi/v2/server_v2.go
index 0fb4604647..d4e68a89bb 100644
--- a/disperser/dataapi/v2/server_v2.go
+++ b/disperser/dataapi/v2/server_v2.go
@@ -210,10 +210,34 @@ func (s *ServerV2) Start() error {
 	}
 
 	router := gin.New()
+
+	// Add recovery middleware (best practice according to Cursor)
+	router.Use(gin.Recovery())
+
 	basePath := "/api/v2"
 	docsv2.SwaggerInfoV2.BasePath = basePath
 	docsv2.SwaggerInfoV2.Host = os.Getenv("SWAGGER_HOST")
 
+	// Configure CORS
+	config := cors.DefaultConfig()
+	config.AllowOrigins = s.allowOrigins
+	config.AllowCredentials = true
+	config.AllowMethods = []string{"GET", "POST", "HEAD", "OPTIONS"}
+	config.AllowHeaders = []string{"Origin", "Content-Type", "Accept", "Authorization"}
+	config.ExposeHeaders = []string{"Content-Length"}
+
+	if s.serverMode != gin.ReleaseMode {
+		config.AllowOrigins = []string{"*"}
+	}
+
+	// Apply CORS middleware before routes
+	router.Use(cors.New(config))
+
+	// Add OPTIONS handlers for all routes
+	router.OPTIONS("/*path", func(c *gin.Context) {
+		c.Status(http.StatusOK)
+	})
+
 	v2 := router.Group(basePath)
 	{
 		blobs := v2.Group("/blobs")
@@ -256,16 +280,6 @@ func (s *ServerV2) Start() error {
 		logger.WithSkipPath([]string{"/"}),
 	))
 
-	config := cors.DefaultConfig()
-	config.AllowOrigins = s.allowOrigins
-	config.AllowCredentials = true
-	config.AllowMethods = []string{"GET", "POST", "HEAD", "OPTIONS"}
-
-	if s.serverMode != gin.ReleaseMode {
-		config.AllowOrigins = []string{"*"}
-	}
-	router.Use(cors.New(config))
-
 	srv := &http.Server{
 		Addr:              s.socketAddr,
 		Handler:           router,